From: Austin J Eberle <ajeberle@us.ibm.com>
Date: Tue, 25 Sep 2018 22:45:58 +0000 (-0600)
Subject: nvme-cli: prevent resv action field overflow
X-Git-Tag: v1.7~58
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=ade15148bcab98dd32c5718488fbb2f6538105a9;p=users%2Fsagi%2Fnvme-cli.git

nvme-cli: prevent resv action field overflow

Signed-off-by: Austin Eberle <ajeberle@us.ibm.com>
Signed-off-by: Keith Busch <keith.busch@intel.com>
---

diff --git a/nvme-ioctl.c b/nvme-ioctl.c
index 2a8012cf..15d05192 100644
--- a/nvme-ioctl.c
+++ b/nvme-ioctl.c
@@ -267,7 +267,7 @@ int nvme_resv_acquire(int fd, __u32 nsid, __u8 rtype, __u8 racqa,
 		      bool iekey, __u64 crkey, __u64 nrkey)
 {
 	__le64 payload[2] = { cpu_to_le64(crkey), cpu_to_le64(nrkey) };
-	__u32 cdw10 = racqa | (iekey ? 1 << 3 : 0) | rtype << 8;
+	__u32 cdw10 = (racqa & 0x7) | (iekey ? 1 << 3 : 0) | rtype << 8;
 	struct nvme_passthru_cmd cmd = {
 		.opcode		= nvme_cmd_resv_acquire,
 		.nsid		= nsid,
@@ -283,7 +283,7 @@ int nvme_resv_register(int fd, __u32 nsid, __u8 rrega, __u8 cptpl,
 		       bool iekey, __u64 crkey, __u64 nrkey)
 {
 	__le64 payload[2] = { cpu_to_le64(crkey), cpu_to_le64(nrkey) };
-	__u32 cdw10 = rrega | (iekey ? 1 << 3 : 0) | cptpl << 30;
+	__u32 cdw10 = (rrega & 0x7) | (iekey ? 1 << 3 : 0) | cptpl << 30;
 
 	struct nvme_passthru_cmd cmd = {
 		.opcode		= nvme_cmd_resv_register,
@@ -300,7 +300,7 @@ int nvme_resv_release(int fd, __u32 nsid, __u8 rtype, __u8 rrela,
 		      bool iekey, __u64 crkey)
 {
 	__le64 payload[1] = { cpu_to_le64(crkey) };
-	__u32 cdw10 = rrela | (iekey ? 1 << 3 : 0) | rtype << 8;
+	__u32 cdw10 = (rrela & 0x7) | (iekey ? 1 << 3 : 0) | rtype << 8;
 
 	struct nvme_passthru_cmd cmd = {
 		.opcode		= nvme_cmd_resv_release,
diff --git a/nvme.c b/nvme.c
index 1e9359a2..24325293 100644
--- a/nvme.c
+++ b/nvme.c
@@ -3724,6 +3724,12 @@ static int resv_register(int argc, char **argv, struct command *cmd, struct plug
 		goto close_fd;
 	}
 
+	if (cfg.rrega > 7) {
+		fprintf(stderr, "invalid rrega:%d\n", cfg.rrega);
+		err = EINVAL;
+		goto close_fd;
+	}
+
 	err = nvme_resv_register(fd, cfg.namespace_id, cfg.rrega, cfg.cptpl,
 				!!cfg.iekey, cfg.crkey, cfg.nrkey);
 	if (err < 0)